October 12, 2007

AQ Breach Not 'Fatal'

Eli Lake at the New York Sun follows up today on the exposure of private efforts to penetrate al-Qaeda's global Internet network. An independent analytical group that has focused on AQ operations now says that the damage was not as bad as first thought:

One of the world's foremost authorities on Al Qaeda says that last month's compromise of the intelligence community's penetration of the terrorist group's Internet communication system was a serious blow, but that, ultimately, the damage was not fatal.

The head of the International Center for Political Violence and Terrorism Research at Singapore's Nanyang Technological University, Rohan Gunaratna, said in an interview yesterday that the damage done on September 7, when ABC News published online quotes from a transcript of Osama bin Laden's first speech in three years, was "reparable." But he also called it a "serious breach."

"This has happened from time to time," Mr. Gunaratna said. "Each time they suspect penetration of their password-protected sites and other communications, they take security measures to minimize exposure, but they always come back. Each time, however, they are more cautious."

This still leaves the possibility that both sides played games to shake up the status quo. AQ's network mavens know that Western agencies, both private and government, have gone hard after their systems. They may have wanted to check their own staffs to see whether someone decided to play the other side. On the other hand, the deliberate exposure of the tape may have wanted to make AQ scramble in order to track their necessary movement, or as I wrote earlier, to force AQ into relying on human couriers long enough to discover where senior AQ leadership have been hiding.

Pete Hoekstra takes a less optimistic view. The ranking member of the House Intelligence Community told the Sun that Internet counterterrorism efforts have not received a high priority at Defense and the American intel agencies. Hoekstra called official action in this area "woefully weak," and except for a few free-lancers at the Pentagon, much less effective than the private companies that have doggedly traced AQ networks.

As an example, Hoekstra asked for a transcript of the Osama video the day it hit broadcast news. It took over a day to get it, and even then, the transcript was classified. Hoekstra had to have his staff go to the Internet for a transcript he could legally reference when talking with reporters about the video.

If Hoekstra's correct, we need to press for a more robust Internet intel effort from the US. If that means developing resources within the agencies, then we should fund those resources immediately. If that means contracting with people like Rita Katz of SITE or others with the experience, talent, and werewithal to do the job properly, Congress should start working on that solution. We cannot allow AQ to operate freely on the Internet that we created as an organizational and command tool to destroy us. Perhaps this breach wasn't fatal, but an inability to penetrate the AQ network will eventually prove literally fatal for Americans.


TrackBack URL for this entry:

Comments (14)

Posted by coldwarrior415 | October 12, 2007 9:37 AM

Captain, once again a hot button issue for this old warrior.

Old habits and sinecures hold sway in our intelligence community, moreso after 9-11 than prior, all as a result of the 9-11 Commission and the knee-jerk reaction to the recommendations of that Commission.

The distinct line between what was acquired clandestinely and what was obtained from open sources was a problem on my watch, and has become more of a problem today. I had a number of reports from the field downgraded, despite their being unique, previously unknown, and subtantiated because I included "open source' material. Was told that open source was a State Department function, I had to solely report on clandestinely obtained information. From what I have gathered in the interveening years, the same attitudes still hold.

Nonetheless, I and a number of my colleagues used RUMINT and OSINT as well as HUMINT successfully over the years, if not directly in our reporting at least in our ability to acquire tip-offs and trends and substantiation.

But, the real problem today is that the Intelligence Community since the 9-11 Commission has become awash in cash. The establishment of the ODNI is where most of that cash was diverted, and the Agency, as well as DIA, among others, was fleeced for warm bodies to fill newly established high-end GS slots at ODNI, new buildings have been built all along the Dulles Corridor, and billions have been wasted in the effort. Instead of focusing on new technologies, the ODNI has farmed out "open source" acquisitions to contractors, such as SITE, and academic institutions across the globe for things such as cruising the internet looking at the same things the jihadists and AQ are looking at.

Not a whole lot of promotions available for operations officers who sit at a desk and cruise the internet...that is a technical function, part of the Directorate of Administration, or something they do over on the analytical side of the house. Language skills are also lacking. Spoken Damascene or Cairene or Gulf Arabic is one thing, being able to read Arabic script in all its regional permutations is quite another. Farm it out instead of wasting time and money developing our own in house skill sets seems to be the current model.

Not a whole lot of Pashtun, Urdu, or other Central Asian, linguists either in the Intel Communty, even today. The current focus is on Chinese...looking toward the next war while farming out the current one.

As for damage, yes, this SITE leak did cause damage. And purposely or inadvertantly we did cause AQ to change channels. I am a bit more removed from NSA these days, but it is my understanding they are doing a lot of traffic analysis in the ethernet, and applying skills toward known nodes, and developing understanding of other nodes that seem to spike or look out of place in the normal patterns of international voice and electronic communications. That said, once a commo channel is disrupted, such as following the SITE leak, AQ will have to re-establish commo among the same group of participants. Frequencies change, to use the old NSA intercept model, but channels do not normally change. The same people need to communicate both up and down the line in order for a group or entitity such as AQ to function. Using traffic analysis and finding weak links in the commo chain can lead to new and better grasp of an enemy commo.

Hopefully, NSA is doing a far better job than the rest of the ODNI is, unless they are sidetracked by more imposition of 1977 rules in a 2007 environment by vocal opponents at large and in Congress who understand neither the sources nor methods utilized.

And, hopefully, someone in or under the ODNI is willing to think and act outside the box to enable a better in house ability to do the same. If AQ and its rather educated cadre is facile on the internet, it is about time we, the Intel Community, should be equaly facile and view the internet as a battle space and a force multiplier, and a means to thwart an enemy with a lot more vigor than we have thus far shown.

Posted by Maston | October 12, 2007 9:54 AM

Someone at the White House or DHS leaked the tape to Fox News. That leak should be stopped, irrespective of the fact the Fox is our friend.

Posted by David M | October 12, 2007 10:21 AM

Trackbacked by The Thunder Run - Web Reconnaissance for 10/12/2007
A short recon of what’s out there that might draw your attention, updated throughout the day...so check back often.

Posted by BB | October 12, 2007 10:54 AM

Do we not have a surfeit of destructive hackers in our own land? Perhaps we should recruit and or sentence such persons to engage this front?

Posted by LarryD | October 12, 2007 11:18 AM

Maybe not, Maston. Read this summary at Mudville Gazette.

But to buy SITE's version of events - that someone in the administration leaked news of Katz's email - requires one to ignore the fact ABC reported at 9:23 that "government intelligence sources" had the video and a transcript.

It takes time to write an article, even if all the information is spoon fed to you. Let's say it took only 20 minutes (hard to believe, but possible). ABC still had to have been tipped off before that. So we have to back this up to 9 am to begin writing and, what? 8:30 at the very latest for ABC to have been contacted and decide to write the article?

Also, now we know ABC posted the video before FoxNews. Sounds like they may have been the first to do so.

How likely is it that TWO leakers leaked the same story, on the same day, involving TWO copies of the video and TWO transcripts (one some time before 9:23 and one after Katz contacted Dan Fielding "around 10 am")?

That is the time of the original leak. And isn't it interesting that ABC had a link to the transcript up before Fox? That is what I couldn't establish yesterday.

Posted by coldwarrior415 | October 12, 2007 11:45 AM


I have it from a fairly reliable source that the Agency has been trying to do just that, not all that successfully though. Letting a fox alone in the henhouse, especially a fox whose previous activities were of a nature to call the attention of law enforcement, is not a particularly good way to conduct the business of national security affairs. If they can hack into BankOne, what is to prevent them from achieving the ultimate hack? That being hacking into intelligence circuits or inter-agency bigoted circuits to peruse or leave gifts?

Recruiting from outside and within our own ranks those who possess the mental accuity to be trained to be hackers seems a better route to take. But there is resistance to having young blood hackers who in their prior incarnation were living in the basement swapping SSAN's and corporate and government passwords being brought in to the Agency even as instructors.

But, BB, the gist of your suggestion is quite valid. My kid knows more about the internet and computers than I will ever know. I rely on him often. There should be a secure way to recruit from within that wide range of destructive hackers living in basements across America. I'd much prefer that than having to depend on farmed out contractors, domestic and foreign.

Posted by jerry | October 12, 2007 12:07 PM


ABC News was the "leaking" news agency not Fox. SITE open source intelligence is unclassified. Private organizations do not have the authority to classify information. Contractors working on classified data have a form DD 254 attached to their signed contract which authorizes them to receive classified and to classify information/data generated on the contract.. If the data was owned by SITE then it is proprietary information/data and is protected under contract and privacy laws.

Your lack of knowledge about the handling and creation of classified material and your attempt to blame Fox indicates that you are most likely a moveon.org/Kos troll.

Posted by Maston | October 12, 2007 12:47 PM

The question is, who leaked it? Fox News and ABC News and probably others got the tape from someone inside the Administration. SITE seems to be doing good work that benefits the country in the fight against terrorist organizations, so why compromise their work?

Maybe the leaker was someone leaving the Administration who is looking to get into the news business.

Posted by coldwarrior415 | October 12, 2007 12:57 PM

Maston, your basic understanding of what constitutes classified information and what does not notwithstanding, your conjecture that someone in the Administration looking to get in the news business is, to be polite, somewhat shallow.

ANY member of any Administration in any capacity in policy planning and implementation,, or involved in public affairs, can dictate a price for their being hired by a news organization. Using a purloined unclassified proprietary contractor document to gain favor in the hiring process would count against them not in favor of them in the eyes of even the most left-wing or right wing legitimate news outfit.

If there was a "leak" as leaks are looked upon under current law, I suspect a staffer, of the Administration or the contractor, an ash-and-trash type, not a principal, who was offered a dangle of cash, to allow one news outfit to obtain a scoop over another.

Or, I would lean heavily to a dangle of this entire "leak" as a means to operationally verify the electronic chain of command of AQ in various parts of the world in order to confound their efforts or to establish a current electronic command and reporting chain on AQ.

Posted by richard miniter | October 12, 2007 2:21 PM


The intel work on the internet that you call for is already being done--it is contracted out because the CIA and DIA and so on have a number of privacy and other restrictions that do not apply to private-sector outfits. The priavacy nuts have made it impossible for the feds to do it directly.

Thus, the White House leak of the katz UBL video was very damaging. The SITE Institute was a unique resource which the agencies do not have on their own and now it is gone. At least for a while.

Posted by piscivorous | October 12, 2007 7:11 PM

In addition to it not being fatal I wonder just what useful information the monitoring entities, both public and private, garnered from monitoring the shut down. some of the most interesting data garnered from disaster analysis is obtained from reverse engineering the disaster. Monitoring a system shutdown should provided some interesting data and actually shed some light on the extent of the network and how to attack it in the future. Perhaps the leak was more intelligence driven than people would have the public believe.

Posted by coldwarrior415 | October 12, 2007 7:26 PM

piscivorous, sshhhh! You are getting a bit too close to something that is working. :-)

You are very correct in the reverse engineering analysis of the shutdown. As the systems come back online, and they are, it is very enlightening.

Posted by Dawn | October 12, 2007 8:20 PM

Richard Miniter!


Posted by Looking Glass | October 13, 2007 12:49 AM

The Jawa Report has a different take on the situation. Al Qaeda's Compromised Intranet & Our Compromised Intel?

A lovely bit from the article.

Noah Schachtman calls it "al Qaeda's Intranet". Other cybergeeks are calling it "Obelisk". I like to call it, "the part of the password protected forum where jihadis swap beheading videos before they post them to the regular password protected forums where wannabe jihadis view them."

Yes, it's that mundane.

Post a comment